[mook]

That's because the client certificate interface in browsers is supremely dumb. It always just lists all certificates you have, with very little context in the UI, and hopes that's good enough. I believe that's part of the reason client certificates are not poplar; having actual users deal with that is terrible, and the browsers (in practice, Chrome because of its overwhelming market share) isn't incentivized to fix it.

[Avamander]

Servers can communicate their preference in terms of CAs they want. But the UX in browsers is unbelievably horrible for no good reason.

Not only is it difficult for an user to make a proper selection, it's also hard to fix a wrong one. The error pages are also terrible. There's no way for the site owner to request that when the navigation to the (auth) page fails, redirect back. Nope, no way to do error handling without some really clever iframe stuff and even then it's way too opaque.

God forbid you have to deal with CORS + mTLS.

[elevation]

> God forbid you have to deal with CORS + mTLS

As someone who is about to deal with exactly this, what kind of trouble am I in for?

[Avamander]

Preflight requests won't be doing mTLS on all browsers.